[Samba] Samba4 with Posix ACL's

Andrew Bartlett abartlet at samba.org
Sun Apr 29 21:29:37 MDT 2012

On Sun, 2012-04-29 at 11:27 +0200, steve wrote:
> Hi everyone
> I'm setting up a report writing system for a school. All teachers need 
> rw access to the reports which are in a folder of the same name. 
> Teachers are in a group called teachers and there is a share called reports:
> [reports]
> 	path = /data/reports
> 	read only = No
> 	create mask = 0770
> /data/reports has a Posix ACL:
>   getfacl /data/reports
> getfacl: Removing leading '/' from absolute path names
> # file: data/reports
> # owner: root
> # group: teachers
> # flags: -s-
> user::rwx
> group::r-x
> other::---
> default:user::rwx
> default:group::rwx
> default:other::---
> and ls gives:
>   drwxr-s---+ 9 root teachers  4096 Apr 15 11:47 reports
> Under XP, everything works as expected. Only teachers can enter the 
> share and any report created becomes group rw. Perfect.
> In Windows 7, no one can enter. Clicking on the security tab we can see 
> the teachers group listed (so it must know something about group 
> ownership or the ACL or both) but nothing is ticked apart from 'special 
> permissions'. Administrator has to select read and write before the 
> teachers can enter. There is then a warning about setting permissions at 
> the root of the share.
> What have I done wrong?
> Does w7 under Samba4 understand Posix ACL and group rw stuff?

No, Samba4's ntvfs file server does not understand posix ACLs.  It will
attempt to honour them (by being the user in question when accessing the
file system), but if an NT ACL is set, then it will use root rights to
override this and honour the NT ACL. 

This is one of the many reasons why we are working on s3fs.  When we are
happy with it, we will make it the default, but until then we can only
ask for your patience, and do not recommend the Samba4 DCs be used as
general file servers (i.e., use it only for netlogon and sysvol).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
